Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | December 2005 (4.00) |
| Protection available since | 31 October 2005 04:02:31 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Dagonit-A is a multicomponent backdoor Trojan for the Windows platform that allows unauthorized remote access through a randomly opened TCP port.
The Trojan creates a user account named Service that is used by the intruder to take control of the infected computer.
When Troj/Dagonit-A is installed, the following files are created:
<current folder>\dali.reg
<current folder>\dalia2.exe
<current folder>\system.bat
<current folder>\winspool.exe
<current folder>\wpap.exe
where wpap.exe is detected as Troj/Wpap-A.
Troj/Dagonit-A may attempt to replace the original winspool.exe with the Trojan file.
Troj/Dagonit-A sets a number of registry entries including the following:
HKLM\System\CurrentControlSet\Services\RDSessMgr
Start
2
HKLM\System\CurrentControlSet\Services\TermService
Start
2
HKLM\System\CurrentControlSet\Services\TlntSvr
Start
2
HKLM\System\CurrentControlSet\Services\lanmanserver
Start
2
These values ensure that the following services are started when the computer restarts:
Remote Desktop Help Session Manager
Terminal Services
Telnet
Server
The Trojan also sets the following registry entries in an attempt to modify security settings:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections
0
TSAdvertise
1
IdleWinStationPoolCount
1
TSAppCompat
1
TSEnabled
1
TSUserEnabled
1
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
EnableConcurrentSessions
0
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\WinStations\RDP-Tcp
fEnableWinStation
1
MaxInstanceCount
-1
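The service start values and Terminal Server settings listed above can be checked against a registry export during triage. The following is an added example, not Sophos code: it parses the decoded text of a `.reg` export and reports which of the listed values are present with the same data; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators copied from the registry entries listed on this page (paths as printed).
SVC = r"HKLM\System\CurrentControlSet\Services"
TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP = TS + r"\Licensing Core\WinStations\RDP-Tcp"
INDICATORS = {(SVC + "\\" + s, "Start"): 2
              for s in ("RDSessMgr", "TermService", "TlntSvr", "lanmanserver")}
INDICATORS.update({(TS, n): d for n, d in [
    ("fDenyTSConnections", 0), ("TSAdvertise", 1), ("IdleWinStationPoolCount", 1),
    ("TSAppCompat", 1), ("TSEnabled", 1), ("TSUserEnabled", 1)]})
INDICATORS[(TS + r"\Licensing Core", "EnableConcurrentSessions")] = 0
INDICATORS.update({(RDP, "fEnableWinStation"): 1, (RDP, "MaxInstanceCount"): -1})

def norm(key):
    """Registry paths are case-insensitive; .reg exports spell the hive out."""
    return re.sub(r"^hkey_local_machine", "hklm", key.strip().lower())

def parse_reg(text):
    """Return {(key, value name): int} for every DWORD value in a .reg export."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = norm(line[1:-1])
        elif key and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def matches(text):
    """Indicators whose data equals the export's; -1 is stored as 0xffffffff."""
    found = parse_reg(text)
    return sorted(f"{k}\\{n}" for (k, n), want in INDICATORS.items()
                  if found.get((norm(k), n.lower())) == want % 2**32)

# Constructed sample export (already decoded to text), not from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000000
'''

if __name__ == "__main__":
    print("\n".join(matches(SAMPLE)))
```

Several of these values also occur on legitimately configured hosts (fDenyTSConnections set to 0 is what enabling Remote Desktop produces), so weigh matches together with the files and the Service account described above.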
Troj/Dagonit-A may attempt to delete the following files:
<System>\dllcashe\winlogon.exe
<System>\dllcashe\termsrv.dll
<System>\dllcashe\mstscax.dll
